Skip to main content
SpringerLink
Log in

Malware detection using assembly and API call sequences

  • Original Paper
  • Published:
Journal in Computer Virology Aims and scope Submit manuscript

Abstract

One of the major problems concerning information assurance is malicious code. To evade detection, malware has also been encrypted or obfuscated to produce variants that continue to plague properly defended and patched networks with zero day exploits. With malware and malware authors using obfuscation techniques to generate automated polymorphic and metamorphic versions, anti-virus software must always keep up with their samples and create a signature that can recognize the new variants. Creating a signature for each variant in a timely fashion is a problem that anti-virus companies face all the time. In this paper we present detection algorithms that can help the anti-virus community to ensure a variant of a known malware can still be detected without the need of creating a signature; a similarity analysis (based on specific quantitative measures) is performed to produce a matrix of similarity scores that can be utilized to determine the likelihood that a piece of code under inspection contains a particular malware. Two general malware detection methods presented in this paper are: Static Analyzer for Vicious Executables (SAVE) and Malware Examiner using Disassembled Code (MEDiC). MEDiC uses assembly calls for analysis and SAVE uses API calls (Static API call sequence and Static API call set) for analysis. We show where Assembly can be superior to API calls in that it allows a more detailed comparison of executables. API calls, on the other hand, can be superior to Assembly for its speed and its smaller signature. Our two proposed techniques are implemented in SAVE) and MEDiC. We present experimental results that indicate that both of our proposed techniques can provide a better detection performance against obfuscated malware. We also found a few false positives, such as those programs that use network functions (e.g. PuTTY) and encrypted programs (no API calls or assembly functions are found in the source code) when the thresholds are set 50% similarity measure. However, these false positives can be minimized, for example by changing the threshold value to 70% that determines whether a program falls in the malicious category or not.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Similar content being viewed by others

References

  1. Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. 12th USENIX Security Symposium. http://www.cs.wisc.edu/wisa/papers/security03/cj03.pdf, August 2003

  2. Dullien, T., Rolles, R.: Graph-based comparison of executable objects. IEEE Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA-2004), pp. 161–173

  3. Hofmeyr S.A., Somayaji A., Forrest S.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6, 151–180 (1998)

    Google Scholar 

  4. Wespi, A., Debar, H.: Building an intrusion-detection system to detect suspicious process behavior. Rec. Adv. Intrusion Detect. (1999)

  5. Wespi, A., Dacier, M., Debar, H.: Intrusion Detection Using Variable-Length Audit Trail Patterns. Rec. Adv. Intrusion Detect. 110–129 (2000)

  6. Kang, D.-K., Fuller, D., Honavar, V.: Learning classifiers for misuse and anomaly detection using a bag of system calls representation. Proceedings of the 6th IEEE Systems, Man, and Cybernetics Workshop (IAW 05), West Point, NY, IEEE, pp. 118–125 (2005)

  7. Dictionary, http://dictionary.reference.com/search?q=obfuscation, November 2005

  8. Collberg, C., Thomborson, C.: Watermarking, tamper-proofing, and obfuscation—tools for software protection. IEEE Transactions on Software Engineering, pp. 701–746, August 2002

  9. Collberg, C., Thomborson, C., Low, D.: A Taxonomy of Obfuscating Transformations Technical Report 148, July 1997

  10. Sung, A.H., Xu, J., Chavez, P., Mukkamala, S.: Static analyzer for vicious executables (SAVE). Proceedings of 20th Annual Computer Security Applications Conference (ACSAC), pp. 326–334, IEEE Computer Society Press, ISBN 0-7695-2252-1 (2004)

  11. Wilson W.C.: Activity Pattern Analysis by means of Sequence-Alignment Methods. J. Environ. Plan. 30, 1017–1038 (1998)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, Institute for Complex Additive Systems Analysis, Computational Analysis and Network Enterprise Solutions, New Mexico Tech, Socorro, NM, 87801, USA

    Madhu K. Shankarapani & Srinivas Mukkamala

  2. Cyber Security Works, New Mexico Tech, Socorro, NM, 87801, USA

    Subbu Ramamoorthy & Ram S. Movva

Authors
  1. Madhu K. Shankarapani
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Subbu Ramamoorthy
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ram S. Movva
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Srinivas Mukkamala
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Madhu K. Shankarapani.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Shankarapani, M.K., Ramamoorthy, S., Movva, R.S. et al. Malware detection using assembly and API call sequences. J Comput Virol 7, 107–119 (2011). https://doi.org/10.1007/s11416-010-0141-5

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-010-0141-5

Keywords

Search

Navigation